Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  NEWS  community  lists  Wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [month] [year] [list] 
Date: Mon, 27 Oct 2008 17:57:58 +1100
From: Steffen Joeris <steffen.joeris@...lelinux.de>
To: oss-security <oss-security@...ts.openwall.com>
Cc: coley@...re.org
Subject: CVE id request: blender

Hi

There is a programming error in blender that can lead to arbitrary code 
execution.

Description:
Blender's BPY_interface calls PySys_SetArgv such that Python prepends
sys.path with an empty string.  This allows the possibility to run
arbitrary code on the user's system if there is a python file in
Blender's working directory named the same as one that Blender's python
scripts try to import.

Debian Bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503632

Could I please get a CVE id for this?

Cheers
Steffen

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ